Certificate Fails to create when associated to a Key Vault

[TomMakes]

What happened?

I am trying to create a key vault and certificate in an existing resource group.
The key vault is able to be created, but the certificate fails with an error,
error: autorest/azure: Service returned an error. Status=400 Code="BadRequest" Message="The parameter Properties.KeyVaultId has an invalid value." Details=[{"Message":"The parameter Properties.KeyVaultId has an invalid value."},{"Code":"BadRequest"},{"ErrorEntity":{"Code":"BadRequest","ExtendedCode":"51008","Message":"The parameter Properties.KeyVaultId has an invalid value.","MessageTemplate":"The parameter {0} has an invalid value.","Parameters":["Properties.KeyVaultId"]}}]

Things I've tried:

• If I try to create the certificate after the key vault has been created in a previous pulumi up, I get the same error.
• Hardcoding the KeyVaultId value as the ResourceId of the key vault still gives me the error.
• If I create the certificate without providing a KeyVaultId it is successful.
• If I create the certificate using Azure CLI, I am able to create the certificate inside of the key vault. It is successful.

Example

Cert creation script

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj "/C=US/ST=MA/L=Boston/O=TestOrg/OU=devops/CN=demo.test.io"
openssl pkcs12 -export -in cert.pem -inkey key.pem -out test-cert-2.pfx

Pulumi file

// ESLINT RULES
/* eslint-disable no-unused-vars */

import * as pulumi from '@pulumi/pulumi';
import * as azure_native from '@pulumi/azure-native';
import * as v20240401_native_web from '@pulumi/azure-native/web/v20240401';
import * as fs from 'fs';
// constants
import { CONSTS } from '../azure/constant_values';

// Load environment variables
// eslint-disable-next-line @typescript-eslint/no-var-requires
const dotenv = require('dotenv');
dotenv.config({ path: '../.env' });

const buildTestInfrastructure = async () => {
	// Create an Azure Resource Group
	const RESOURCE_GROUP_NAME = 'demo-test-rg';
	const AZURE_TENANT_ID = process.env.AZURE_TENANT_ID as string;

	/* *************************************************************
	 *  #KEY VAULT #KEYVAULT
	 **************************************************************** */

	const keyvault_name = 'test-key-vault';
	const keyvault = new azure_native.keyvault.Vault(
		keyvault_name,
		{
			location: CONSTS.LOCATION.CENTRAL_US_LOWER,
			properties: {
				accessPolicies: [
					{
						// group for devops
						objectId: '958d1200-4a93-4cfd-8019-b61847252a9b',
						permissions: {
							secrets: [
								azure_native.keyvault.SecretPermissions.Get,
								azure_native.keyvault.SecretPermissions.List,
								azure_native.keyvault.SecretPermissions.Set,
								azure_native.keyvault.SecretPermissions.Delete,
								azure_native.keyvault.SecretPermissions.Backup,
								azure_native.keyvault.SecretPermissions.Restore,
								azure_native.keyvault.SecretPermissions.Recover,
								azure_native.keyvault.SecretPermissions.Purge
							],
							keys: [
								azure_native.keyvault.KeyPermissions.Get,
								azure_native.keyvault.KeyPermissions.List,
								azure_native.keyvault.KeyPermissions.Update,
								azure_native.keyvault.KeyPermissions.Create,
								azure_native.keyvault.KeyPermissions.Delete,
								azure_native.keyvault.KeyPermissions.Purge
							],
							certificates: [
								azure_native.keyvault.CertificatePermissions.Get,
								azure_native.keyvault.CertificatePermissions.List,
								azure_native.keyvault.CertificatePermissions.Delete,
								azure_native.keyvault.CertificatePermissions.Create,
								azure_native.keyvault.CertificatePermissions.Import,
								azure_native.keyvault.CertificatePermissions.Update,
								azure_native.keyvault.CertificatePermissions.Getissuers,
								azure_native.keyvault.CertificatePermissions.Listissuers,
								azure_native.keyvault.CertificatePermissions.Recover,
								azure_native.keyvault.CertificatePermissions.Purge,
								azure_native.keyvault.CertificatePermissions.Backup,
								azure_native.keyvault.CertificatePermissions.Restore
							]
						},
						tenantId: AZURE_TENANT_ID
					}
				],
				enableRbacAuthorization: false,
				enableSoftDelete: false,
				enabledForDeployment: true,
				enabledForDiskEncryption: true,
				enabledForTemplateDeployment: true,
				provisioningState:
					azure_native.keyvault.VaultProvisioningState.Succeeded,
				publicNetworkAccess: 'Enabled',
				sku: {
					family: azure_native.keyvault.SkuFamily.A,
					name: azure_native.keyvault.SkuName.Standard
				},
				softDeleteRetentionInDays: 90,
				tenantId: AZURE_TENANT_ID,
				vaultUri: `https://${keyvault_name}.vault.azure.net/`
			},
			resourceGroupName: RESOURCE_GROUP_NAME,
			vaultName: keyvault_name
		},
		{
			protect: false
		}
	);

	const ssl_cert_name = 'test-cert';
	const ssl_cert_password = process.env.SSL_CERT_PASSWORD;
	const ssl_cert_filename = `../certs/2025/test-cert-2.pfx`;

	const ssl_certificate = new v20240401_native_web.Certificate(ssl_cert_name, {
		keyVaultId:
			keyvault.id,
		name: ssl_cert_name,
		resourceGroupName: RESOURCE_GROUP_NAME,
		location: CONSTS.LOCATION.CENTRAL_US_LOWER,
		pfxBlob: Buffer.from(
			fs.readFileSync(ssl_cert_filename) as unknown as string,
			'binary'
		).toString('base64'),
		password: ssl_cert_password
	});

};
buildTestInfrastructure().then(async () => {
	console.log('done');
});

Output of pulumi about

CLI
Version 3.134.1
Go Version go1.23.1
Go Compiler gc

Plugins
KIND NAME VERSION
resource azure 6.0.0
resource azure-native 2.65.1
resource azuread 5.53.4
language nodejs unknown
resource random 4.13.2

Host
OS Microsoft Windows 11 Pro
Version 10.0.22631 Build 22631
Arch x86_64

This project is written in nodejs: executable='C:\Program Files\nodejs\node.exe' version='v18.10.0'

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[danielrbradley]

Hi @TomMakes sorry you're having some challenges with this resource. I've done a little digging myself and can't see anything obviously wrong with your setup. I've not been able to run the sample code as it depends on a few external pieces to be implemented (env, consts and the actual cert binary).

If the creation via the CLI is working, I'd suggest using that to export an ARM template and inspect how that is structured. This might give an indication as to the values the Azure service is happy with.

Another option to try out is using a different version of the resource. These are located as sub-packages within the azure-native SDK e.g. @pulumi/azure-native/web/v20240401. The behaviour sometimes varies between API versions. The default version is currently using 2022-09-01 for the web.Certificate so this might be fixed in a more recent version.

[TomMakes]

Hi @danielrbradley
I updated my example code and provided the commands I used to generate the cert I'm using. I hope this helps you with reproducing the error.

I looked at the ARM template, and it doesn't look too useful.

I tried using v20240401_native_web and it gave me the same error, so sadly that didn't fix anything.

Here is the ARM template output

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "vaults_test_key_vault_3_name": {
            "defaultValue": "test-key-vault-3",
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.KeyVault/vaults",
            "apiVersion": "2024-04-01-preview",
            "name": "[parameters('vaults_test_key_vault_3_name')]",
            "location": "centralus",
            "properties": {
                "sku": {
                    "family": "A",
                    "name": "standard"
                },
                "tenantId": "35a7d303-0fa8-4387-a3ba-9416897264e1",
                "accessPolicies": [
                    {
                        "tenantId": "35a7d303-0fa8-4387-a3ba-9416897264e1",
                        "objectId": "958d1200-4a93-4cfd-8019-b61847252a9b",
                        "permissions": {
                            "certificates": [
                                "get",
                                "list",
                                "delete",
                                "create",
                                "import",
                                "update",
                                "getissuers",
                                "listissuers",
                                "recover",
                                "purge",
                                "backup",
                                "restore"
                            ],
                            "keys": [
                                "get",
                                "list",
                                "update",
                                "create",
                                "delete",
                                "purge"
                            ],
                            "secrets": [
                                "get",
                                "list",
                                "set",
                                "delete",
                                "backup",
                                "restore",
                                "recover",
                                "purge"
                            ]
                        }
                    }
                ],
                "enabledForDeployment": true,
                "enabledForDiskEncryption": true,
                "enabledForTemplateDeployment": true,
                "enableSoftDelete": false,
                "softDeleteRetentionInDays": 90,
                "enableRbacAuthorization": false,
                "vaultUri": "[concat('https://', parameters('vaults_test_key_vault_3_name'), '.vault.azure.net/')]",
                "provisioningState": "Succeeded",
                "publicNetworkAccess": "Enabled"
            }
        },
        {
            "type": "Microsoft.KeyVault/vaults/keys",
            "apiVersion": "2024-04-01-preview",
            "name": "[concat(parameters('vaults_test_key_vault_3_name'), '/test-cert-2')]",
            "location": "centralus",
            "dependsOn": [
                "[resourceId('Microsoft.KeyVault/vaults', parameters('vaults_test_key_vault_3_name'))]"
            ],
            "properties": {
                "attributes": {
                    "enabled": true,
                    "nbf": 1733255158,
                    "exp": 2048615158
                }
            }
        },
        {
            "type": "Microsoft.KeyVault/vaults/secrets",
            "apiVersion": "2024-04-01-preview",
            "name": "[concat(parameters('vaults_test_key_vault_3_name'), '/test-cert-2')]",
            "location": "centralus",
            "dependsOn": [
                "[resourceId('Microsoft.KeyVault/vaults', parameters('vaults_test_key_vault_3_name'))]"
            ],
            "properties": {
                "contentType": "application/x-pkcs12",
                "attributes": {
                    "enabled": true,
                    "nbf": 1733255158,
                    "exp": 2048615158
                }
            }
        }
    ]
}

[thomas11]

Hi @TomMakes, could it be missing permissions to the Vault? The docs here say

By default, 'Microsoft.Azure.WebSites' Resource Provider (RP) doesn't have access to the Key Vault specified in the template hence you need to authorize it by executing the following PowerShell commands before deploying the template

and I don't see such an access policy for your Vault. Although, admittedly, the "invalid value" error would be strange in this cause.

If that still doesn't help, could you run pulumi up --logtostderr --logflow -v=9 2> out.txt to enable debug logging? Outgoing requests to Azure are marked by Request: ==> OUTGOING REQUEST and could help us spot the problem.

[TomMakes]

Hi @thomas11, I've been poking around these past few days and tried a few things:

1. I added the permission to my vault for Microsoft.Azure.WebSites (resourceID abfa0a7c-a6b6-4736-8310-5855508787cd) so it can get secrets.
   This didn't have an effect on the issue. I also tried looking around my Azure environment to see if possibly Microsoft.Azure.WebSites had a different resourceID from what was posted, but I couldn't locate any resource with that name.
2. I thought that I could look into how certificates are imported through ARM, but I learned that there is no support for importing certificates that way.
   https://learn.microsoft.com/en-us/azure/key-vault/certificates/faq#can-i-import-a-certificate-by-using-an-arm-template-

No, it isn't possible to perform certificate operations by using an Azure Resource Manager (ARM) template.

3. I tried an older version, '@pulumi/azure-native/web/v20201201' to see if this would have an effect on the certificate import, it did not.
4. I create a debug output using level 11, as 9 was not giving me much information about the PUT request. I looked through and removed some sensitive information, like the password used for the certificate. Below is the snippet:

I1205 13:43:38.366589  237223 api.go:314] Pulumi API call details (https://api.pulumi.com/api/stacks/Wabbi/demo-test-iac/test-azure-certificate/update/40feb73a-786b-4298-936a-a1762fb9bdae/events/batch): headers=map[Accept:[application/vnd.pulumi+8] Accept-Encoding:[gzip] Authorization:[update-token eyJhbGciOiJIUzI1NiIsImtleSI6IkFBQUJBQUVDQXdCNEdvMDV3OHd6M2puNzN2WkxuUjZFeWNIOGppUHppMGR5YVpDNGRIdGR2S0lCQ0loN1hCeGN1aWE1TXhsSTQ5dUxld0FBQUg0d2ZBWUpLb1pJaHZjTkFRY0dvRzh3YlFJQkFEQm9CZ2txaGtpRzl3MEJCd0V3SGdZSllJWklBV1VEQkFFdU1CRUVET28vRU1xSElFbHFXOHZ2bVFJQkVJQTcwVUpvejZweXI5SGxuMkt2bDRHZkw5N2tRMmpsYk13eE1xSytpMHRiL1djTVBIaHRlREZQM0FwVFhMR2w3SjNEalRCOUFPc1BkYlZKcWZBPSIsInR5cCI6IkpXVCJ9.eyJleHBpcmF0aW9uVGltZSI6MTczMzQyNDQ4OSwidXBkYXRlSUQiOiI0MGZlYjczYS03ODZiLTQyOTgtOTM2YS1hMTc2MmZiOWJkYWUifQ.KI7p68I0ZxJTArxIuDPX3jC02Eu441sRxinQx9FbfUw] Content-Encoding:[gzip] Content-Type:[application/json] User-Agent:[pulumi-cli/1 (v3.142.0; linux)]]; body={"events":[{"sequence":253,"timestamp":1733424218,"diagnosticEvent":{"message":"\u003c{%reset%}\u003eX-Ms-Correlation-Request-Id: 495cd61a-f380-4917-b689-2afae373e1eb\r\n\u003c{%reset%}\u003e\n","color":"raw","severity":"info#err"}},{"sequence":254,"timestamp":1733424218,"diagnosticEvent":{"message":"\u003c{%reset%}\u003eX-Ms-Failure-Cause: gateway\r\n\u003c{%reset%}\u003e\n","color":"raw","severity":"info#err"}},{"sequence":255,"timestamp":1733424218,"diagnosticEvent":{"message":"\u003c{%reset%}\u003eX-Ms-Request-Id: 495cd61a-f380-4917-b689-2afae373e1eb\r\n\u003c{%reset%}\u003e\n","color":"raw","severity":"info#err"}},{"sequence":256,"timestamp":1733424218,"diagnosticEvent":{"message":"\u003c{%reset%}\u003eX-Ms-Routing-Request-Id: EASTUS2:20241205T184338Z:495cd61a-f380-4917-b689-2afae373e1eb\r\n\u003c{%reset%}\u003e\n","color":"raw","severity":"info#err"}},{"sequence":257,"timestamp":1733424218,"diagnosticEvent":{"message":"\u003c{%reset%}\u003eX-Msedge-Ref: Ref A: 0F5A28C77DCE4425A981E032CBF92DB0 Ref B: MNZ221060619029 Ref C: 2024-12-05T18:43:38Z\r\n\u003c{%reset%}\u003e\n","color":"raw","severity":"info#err"}},{"sequence":258,"timestamp":1733424218,"diagnosticEvent":{"message":"\u003c{%reset%}\u003e{\"error\":{\"code\":\"ResourceNotFound\",\"message\":\"The Resource 'Microsoft.Web/certificates/test' under resource group 'demo-test-rg' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix\"}}\n\u003c{%reset%}\u003e\n","color":"raw","severity":"info#err"}},{"sequence":259,"timestamp":1733424218,"diagnosticEvent":{"message":"\u003c{%reset%}\u003e===================================================== HTTP Response End GET https://management.azure.com/subscriptions/a0a9737a-e457-4f55-89e4-bc9588b4f609/resourceGroups/demo-test-rg/providers/Microsoft.Web/certificates/test?api-version=2024-04-01\n\u003c{%reset%}\u003e\n","color":"raw","severity":"info#err"}},{"sequence":260,"timestamp":1733424218,"diagnosticEvent":{"message":"\u003c{%reset%}\u003eI1205 13:43:38.124859  237622 client.go:441] HTTP Request Begin PUT https://management.azure.com/subscriptions/a0a9737a-e457-4f55-89e4-bc9588b4f609/resourceGroups/demo-test-rg/providers/Microsoft.Web/certificates/test?api-version=2024-04-01 ===================================================\n\u003c{%reset%}\u003e\n","color":"raw","severity":"info#err"}},{"sequence":261,"timestamp":1733424218,"diagnosticEvent":{"message":"\u003c{%reset%}\u003ePUT /subscriptions/a0a9737a-e457-4f55-89e4-bc9588b4f609/resourceGroups/demo-test-rg/providers/Microsoft.Web/certificates/test?api-version=2024-04-01 HTTP/1.1\r\n\u003c{%reset%}\u003e\n","color":"raw","severity":"info#err"}},{"sequence":262,"timestamp":1733424218,"diagnosticEvent":{"message":"\u003c{%reset%}\u003eHost: management.azure.com\r\n\u003c{%reset%}\u003e\n","color":"raw","severity":"info#err"}},{"sequence":263,"timestamp":1733424218,"diagnosticEvent":{"message":"\u003c{%reset%}\u003eUser-Agent: Go/go1.22.7 (amd64-linux) go-autorest/v14.2.1 Go/go1.22.7 (amd64-linux) go-autorest/v14.2.1 pulumi-azure-native/2.65.1 pid-a90539d8-a7a6-5826-95c4-1fbef22d4b22\r\n\u003c{%reset%}\u003e\n","color":"raw","severity":"info#err"}},{"sequence":264,"timestamp":1733424218,"diagnosticEvent":{"message":"\u003c{%reset%}\u003eContent-Length: 6039\r\n\u003c{%reset%}\u003e\n","color":"raw","severity":"info#err"}},{"sequence":265,"timestamp":1733424218,"diagnosticEvent":{"message":"\u003c{%reset%}\u003eContent-Type: application/json; charset=utf-8\r\n\u003c{%reset%}\u003e\n","color":"raw","severity":"info#err"}},{"sequence":266,"timestamp":1733424218,"diagnosticEvent":{"message":"\u003c{%reset%}\u003e{\"location\":\"centralus\",\"properties\":{\"keyVaultId\":\"/subscriptions/a0a9737a-e457-4f55-89e4-bc9588b4f609/resourceGroups/demo-test-rg/providers/Microsoft.KeyVault/vaults/test-key-vault-3\",\"password\":\"REDACTED\",\"pfxBlob\":\"REDACTED\"}}\n\u003c{%reset%}\u003e\n","color":"raw","severity":"info#err"}},{"sequence":267,"timestamp":1733424218,"diagnosticEvent":{"message":"\u003c{%reset%}\u003e===================================================== HTTP Request End PUT https://management.azure.com/subscriptions/a0a9737a-e457-4f55-89e4-bc9588b4f609/resourceGroups/
I1205 13:43:39.015095  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>I1205 13:43:39.014971  237622 client.go:464] HTTP Response Begin PUT [https://management.azure.com/subscriptions/a0a9737a-e457-4f55-89e4-bc9588b4f609/resourceGroups/wabbi-test-rg/providers/Microsoft.Web/certificates/test?api-version=2024-04-01 ===================================================
<{%reset%}>)
I1205 13:43:39.015184  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>HTTP/2.0 400 Bad Request
<{%reset%}>)
I1205 13:43:39.015207  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>Content-Length: 459
<{%reset%}>)
I1205 13:43:39.015216  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>Cache-Control: no-cache
<{%reset%}>)
I1205 13:43:39.015229  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>Content-Type: application/json; charset=utf-8
<{%reset%}>)
I1205 13:43:39.015238  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>Date: Thu, 05 Dec 2024 18:43:38 GMT
<{%reset%}>)
I1205 13:43:39.015248  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>Expires: -1
<{%reset%}>)
I1205 13:43:39.015255  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>Pragma: no-cache
<{%reset%}>)
I1205 13:43:39.015267  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>Strict-Transport-Security: max-age=31536000; includeSubDomains
<{%reset%}>)
I1205 13:43:39.015290  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>X-Aspnet-Version: 4.0.30319
<{%reset%}>)
I1205 13:43:39.015303  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>X-Cache: CONFIG_NOCACHE
<{%reset%}>)
I1205 13:43:39.015311  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>X-Content-Type-Options: nosniff
<{%reset%}>)
I1205 13:43:39.015356  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>X-Ms-Correlation-Request-Id: 5776b002-7815-4fb9-b671-9a6e581c1af1
<{%reset%}>)
I1205 13:43:39.015404  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>X-Ms-Ratelimit-Remaining-Subscription-Global-Writes: 2999
<{%reset%}>)
I1205 13:43:39.015425  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>X-Ms-Ratelimit-Remaining-Subscription-Writes: 199
<{%reset%}>)
I1205 13:43:39.015444  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>X-Ms-Request-Id: 5776b002-7815-4fb9-b671-9a6e581c1af1
<{%reset%}>)
I1205 13:43:39.015466  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>X-Ms-Routing-Request-Id: EASTUS2:20241205T184338Z:5776b002-7815-4fb9-b671-9a6e581c1af1
<{%reset%}>)
I1205 13:43:39.015481  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>X-Msedge-Ref: Ref A: 7F2870CDC4B44891A077F4B0C6959089 Ref B: MNZ221060619029 Ref C: 2024-12-05T18:43:38Z
<{%reset%}>)
I1205 13:43:39.015500  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>X-Powered-By: ASP.NET
<{%reset%}>)
I1205 13:43:39.015517  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>{"Code":"BadRequest","Message":"The parameter Properties.KeyVaultId has an invalid value.","Target":null,"Details":[{"Message":"The parameter Properties.KeyVaultId has an invalid value."},{"Code":"BadRequest"},{"ErrorEntity":{"ExtendedCode":"51008","MessageTemplate":"The parameter {0} has an invalid value.","Parameters":["Properties.KeyVaultId"],"Code":"BadRequest","Message":"The parameter Properties.KeyVaultId has an invalid value."}}],"Innererror":null}
<{%reset%}>)
I1205 13:43:39.015536  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>===================================================== HTTP Response End PUT https://management.azure.com/

[thomas11]

Thank you for the log. We can see that the KV id is /subscriptions/REDACTED/resourceGroups/demo-test-rg/providers/Microsoft.KeyVault/vaults/test-key-vault-3 which looks correct to me (assuming that's the correct KV name, in your original program it's test-key-vault without the -3).

Unfortunately, it's hard for me to tell what Azure finds wrong here given the unhelpful error message.

However, looking around the web a bit, I get the impression that the Microsoft.Web/certificates API is only intended to add existing certificates to a web app. I.e., add the cert with the given name, in the given keyVaultId, to the web app. Here's a page on the end-to-end process - it shows how the cert is added as a plain secret (Pulumi Secret), then used via Microsoft.Web/certificates.